Exaggerated VoIP Security Risks


I’ve read many articles over the last few years concerning the security vulnerabilities of VoIP. The latest flurry of VoIP security-related articles is the result of two alerts and fixes from Cisco that could impact Call Manager. Cisco Call Manager versions with multi-level administration enabled may be vulnerable to privilege escalations. The second alert states that “Vulnerable versions of Cisco Call Manager do not manage TCP connections and Windows messages aggressively, leaving some well-known, published ports vulnerable to Denial of Service attacks.” Cisco has released patches for both, and apparently there were no reports of either vulnerability being exploited. But the announcement led to a new round of articles and commentaries exaggerating the risk of VoIP-related Denial of Service attacks and other vulnerabilities.

Once again I’ve been reading articles that insist that data network security and VoIP security are completely different and that if your enterprise uses IP Telephony you are at great risk. In my view, this is pure nonsense.

Of course we must be vigilant, but the fact is that if your organization has a well-defined, implemented, monitored and enforced security policy for its data network and systems, then you’ve also mitigated most of the security risks associated with implementing an enterprise-class IP Telephony system. Notice that I stated “Enterprise Class”, which excludes most of the PC-based or residential-type VoIP services that use the public Internet for transport.

Layering IP Telephony onto your data network does require that you identify potential vulnerabilities that may not be covered by your present data security policy. You should work with your IP Telephony vendors to ensure that you are aware of, and have patched, all known security risks. Attention to robust AAA, signed configurations and firmware, DHCP inspection and voice/signaling encryption, in addition to the previously mentioned sound security practices, will mitigate most of the risks.

The risk must not be trivialized. There will always be the possibility that a previously unknown VoIP vulnerability will be exploited, and it is understood that the consequences of such an exploit could be serious. But I really wish the “techno-weenies” would tone down their alarmist rhetoric. The IP Telephony sky is not falling!

Rick McCharles
http://www.ric.ca/

This page contains a single entry by Rick McCharles published on January 25, 2006 9:05 AM.
